MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efe9ac26875d3be8e971947fa4fbaadc5a3c6e6d202a50c716a90f24e5974e25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efe9ac26875d3be8e971947fa4fbaadc5a3c6e6d202a50c716a90f24e5974e25
SHA3-384 hash: 6f73403d6229a25387717522144ec400088e544c7b6e89697b144fd44fdc2fcdb402651314a51b6a6b5de52f8ad94157
SHA1 hash: 4cd209f549b97a1087b8111962e90d4867c3e55b
MD5 hash: 7d080b620bbbc1b2f02b2a2fd8623ec8
humanhash: maryland-harry-wisconsin-mississippi
File name:7d080b620bbbc1b2f02b2a2fd8623ec8
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:298'496 bytes
First seen:2021-09-13 13:55:42 UTC
Last seen:2021-09-13 15:24:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c90767c35dbcc528936a0ed1ce028de (4 x RedLineStealer, 3 x RaccoonStealer, 3 x Stop)
ssdeep 6144:tnTZvL7SH5mrWGValPoh1o3mlMGONq3m/1/xigo+:ZtfSH5mSmkPocsOI3mji
Threatray 1'951 similar samples on MalwareBazaar
TLSH T19154E0113AA0C833C2B70D307825D7E58A7AFD716960859777683B3E6F312F09E2A756
dhash icon a3bcdcac9c8cb484 (4 x Glupteba, 4 x Smoke Loader, 2 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7d080b620bbbc1b2f02b2a2fd8623ec8
Verdict:
Malicious activity
Analysis date:
2021-09-13 14:07:05 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/f485b317-d7f9-4d8c-aeaa-2ef02ff09f67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187487/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.874.10056.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a service
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Connection attempt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61750274db358dd15ed91bcf/reports/6ec396c8-cc84-492f-8a61-62f01932b0bf/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20be3e03-4569-480b-aaf1-52b3dfb7e18b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/849852
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efe9ac26875d3be8e971947fa4fbaadc5a3c6e6d202a50c716a90f24e5974e25/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 13:56:09 UTC
AV detection:
26 of 27 (96.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57u2yjuhlu56r2lrsr72j65k3rndy3tneavfbrywvehsjzmxjysq._file
Verdict:
malicious
Similar samples:
0a9ff0b46182a441c0f9c021722817984ec884266c123d2fd6257f9c70d322ab
RedLineStealer
2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
RedLineStealer
78923e3f6b4268a4df9f76b94af36dbd969aec16f3fb87ec05a9650815c02ce6
RedLineStealer
873e0fcc2e0ebe7488c085d7001ce2cd05b8c4dbcb0e9d6f2d9642f73b5314ff
RedLineStealer
9936fdf7d05d744fb202fa1c3135272f83d3ae0362869a14df0ead09461dfe9e
RedLineStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
RedLineStealer
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
RedLineStealer
d828678d918a633c4961c98ef7a8c5620d0f63641a6fa5565a1e979a62af2e2d
RedLineStealer
faf49f9b1d785e077bd17c37eddec80c57d3ffc843a745e6854c9b7a6812b7e0
RedLineStealer
+ 1'941 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:10fk discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210913-q8qb6adgf4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.45.192.203:80
Unpacked files
SH256 hash:
c69d2b521927233cca0a70851c00b578eba4ff495f58eafdfa238fc855c5c2f9
MD5 hash:
68e4ffcd9c937e7bbbcd0bd7238a9f58
SHA1 hash:
d17950b3d921397d2c4b348f4a6b77ff44bbb098
Link:
https://www.unpac.me/results/bc1fc62e-f606-48f4-9841-366c92666475/
SH256 hash:
944a7b52edc8f3c4788c9f0d8f7262ea0f17db33d4b4db0037fd3494a9fa840c
MD5 hash:
de8949e206201d19f6ef6b86d6c79af5
SHA1 hash:
5898ac2fd87d8f595694febb1ab26df046ae77cd
Link:
https://www.unpac.me/results/bc1fc62e-f606-48f4-9841-366c92666475/
SH256 hash:
703d64daaf2c04190f271a6dd7dc105e89c9a55771922e6a19bacbd27a61eff1
MD5 hash:
5a4c1d893e5e6159dcfddc51a76a6c94
SHA1 hash:
18c94440594a2168b6652bb3bbea7a07f3312c70
Link:
https://www.unpac.me/results/bc1fc62e-f606-48f4-9841-366c92666475/
SH256 hash:
efe9ac26875d3be8e971947fa4fbaadc5a3c6e6d202a50c716a90f24e5974e25
MD5 hash:
7d080b620bbbc1b2f02b2a2fd8623ec8
SHA1 hash:
4cd209f549b97a1087b8111962e90d4867c3e55b
Link:
https://www.unpac.me/results/bc1fc62e-f606-48f4-9841-366c92666475/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/efe9ac26875d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efe9ac26875d3be8e971947fa4fbaadc5a3c6e6d202a50c716a90f24e5974e25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe efe9ac26875d3be8e971947fa4fbaadc5a3c6e6d202a50c716a90f24e5974e25

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1603674/
Cape
Cape
https://www.capesandbox.com/analysis/187487/

Comments


Avatar
zbet commented on 2021-09-13 13:55:43 UTC

url : hxxp://103.169.90.205/blog/upload/sefile2.exe